Zurich |
- Association of citations to controls
- In many compliance frameworks, a single control objective may be referenced by multiple citations across different standards, regulations, or policy requirements. Without proper association management, organizations risk
duplicating controls, misinterpreting coverage, or inaccurately reporting compliance. The association of citations to controls feature addresses this challenge by enabling users to associate controls with citations directly.
When this feature is enabled, compliance scores update dynamically based on the status of directly associated active controls.
- Enhancements to control objectives rationalization process
- The following enhancements have been introduced to the rationalization process of control objectives:
- Rationalization process is now automatically created when selecting the Rationalize button in the control objective page.
- The recommendation workflow has been simplified into a two-step process: Step 1 identifies duplicates by accepting or dismissing recommendations; Step 2 finalizes by retaining one recommendation or creating a new common
control objective.
- Approvals for the rationalization process are skipped for owners who are reviewers, and levels where all reviewers are owners are automatically approved.
- Owners and approvers can add comments and justifications directly on recommendation cards and reply to existing comments.
- The user interface has been updated with better navigation, quick summaries, visual improvements, and clear error messages.
- Citation impact analysis and updates with Now Assist for IRM
- When a citation’s description or supplemental guidance is updated, Now Assist identifies related control objectives that might be affected. It reviews these control objectives to determine whether the descriptions or
guidance need changes and provides suggested updates. Users can review, provide feedback, and approve these updates directly in the Now Assist panel, ensuring that citation changes are reflected in associated control
objectives.
- Enhancements to control objectives and controls
-
The following enhancements have been introduced to control objectives and controls:
- The Control objective requirements option provides a granular layer under a control objective. When each control objective has multiple statements, each statement becomes a control objective requirement.
- The Create control requirements option generates control requirements automatically for every control generated under an entity type.
- The Attestation at control requirement level enables attestation at a granular level for individual control requirements within a control.
- Enhancements to policy exception and extension requests
- The following enhancements have been introduced:
- For policy exception and extension requests, approvers can now view key details, such as justification, reason, and validity period, within a pop-up before approving or rejecting a policy exception or policy exception
extension.
- For manual indicators, if the associated control is marked as exempt, no indicator task is generated.
- When a policy exception is in the Analyze state and the Awaiting Requested Information sub-state, the interface now includes a Send Information button that allows the requester to provide additional details or
clarifications requested by the approver.
- Previously, an issue-based exception required a linked policy or control objective for additional approvals. Now, it requires any one of the following: a linked policy, control objective, or control. The control must be
linked to the policy exception itself, not just to the issue.
- GRC Approval Configurator
-
The GRC Approval Configurator can now be used to manage both policy exception and extension approvals. It allows verification, approval, and extension rules to be defined based on state, sub-state, and other filter
conditions, with support for multiple user groups and multi-level approvals. This enhancement provides greater flexibility in assigning appropriate approvers at each level based on defined conditions, facilitating structured
and collaborative reviews. For extension approvals, users can now configure multiple approvers, overcoming the previous limitation of a single default approver (Compliance Manager).
- Common Control Objective Creation
- Use Generative AI to merge similar control objectives into a single, consolidated common control objective. The system automatically populates the name, description, and guidance fields from the accepted duplicates,
eliminating the need to manually select a primary control objective.
- Entity based record access rules to secure new records
-
When entity based record access rules are enabled on the Entity Based Access Configuration Properties page, any newly created controls, control attestations, indicators, and indicator tasks associated with a configured
entity will automatically inherit the entity-based access (EBA) value from that entity. Previously, users had to run bulk access updates to apply EBA restrictions whenever new objects were created.
Additionally, when a standard control is converted to a common control, the Entity based access restriction option is inactive by default. Users can manually enable the EBA option for common controls
directly from the Access Settings section in the Details tab of the respective control.
|
Australia |
- Personal authentication and document access permissions in policy authoring
- After upgrading Policy and Compliance Management to 22.3.2, you can enable personal authentication for policy authoring in Microsoft SharePoint and Google Drive. When enabled, policy authoring uses a hybrid authentication model. Create,
connect, and upload operations run under the logged-in user's personal credentials, while document access permission grants and content sync always run under the shared service account. This approach supports audit
traceability at the individual user level for document operations and keeps access management and sync consistent regardless of who initiates them.
- Dashboard access from Compliance Workspace
- After upgrading to 22.3.2, you can access Policy and Compliance Management dashboards directly from the Compliance Workspace.
- The following dashboards are available:
- Compliance Overview
- Policy Acknowledgement
- Policy Exception Overview
- Policy Overview
- These dashboards are also accessible from the Platform Analytics application.
- Assessment template versioning
- After upgrading Policy and Compliance Management to 22.3.2, CRI tiering questionnaire, CRI profile assessment, and control assessment templates support versioning. Template managers can create and publish new versions of
these templates over time. When a CRI tiering questionnaire, CRI profile assessment, or control assessment is initiated, the assessment is generated using the latest published version of the template.
- Role-based workspace redirection for email notification links
- After upgrading Policy and Compliance Management to 22.3.2, email notification links for Policy and Compliance Management records redirect users to their appropriate workspace based on their assigned roles. Users without a workspace role
are redirected to the GRC Task Page, or to the classic UI if the common workspace is not installed. The following record types support workspace redirection: Controls, Evidence, Control risk indicators, Indicator task, Policy
acknowledgments, and Policy exceptions.
- Control objective workflow
- After upgrading Policy and Compliance Management to 22.0.1, the new Control objective workflow feature introduces a structured lifecycle for managing control objective records. Enable this feature using the Enable Control
Objective Workflow property under and is disabled by default.
-
- When disabled, only the State field is added to control objective records. Active records show Published, inactive records show Retired, and new records default to Draft.
- When enabled, control objectives move through: Draft, Review, Approved, Current version, and Retired. The following new fields are also introduced: State, Effective date, Revision type, and Record nature.
- Editing a published control objective creates a working draft, keeping the published record active until approved changes are published.
- Users must select a revision type: Major or Minor. A Major revision moves associated controls back to Draft. A Minor revision applies updates without moving controls back to Draft.
- The Owner and Owning Group fields control who can edit the control objective and perform workflow actions.
- Rationalizing control objectives
- After upgrading Policy and Compliance Management to 22.0.1, both Unified Compliance Framework (UCF) control objectives and non-UCF control objectives can be rationalized together.
- Recommendation cards show a Source field to indicate whether it originates from UCF or a non-UCF source.
- As UCF control objectives cannot be deactivated, the Identify Duplicates and Finalize sub-states guide the users to retain the UCF control objective. Any UCF recommendations that are not retained are automatically
dismissed when the user requests review.
- Only one UCF control objective can be retained at a time. If you retain a different UCF control objective, the previously retained one is automatically dismissed.
- When rationalization is complete, the retained UCF control objective stays active, accepted non-UCF recommendations are deactivated, and any dismissed UCF control objectives remain active and unchanged.
|